Status: Open
Labels: enhancement (New feature or request), openapi-ts (Relevant to the openapi-typescript library)
Description
Summary
openapi-typescript v7.x depends on @redocly/openapi-core@^1.x, which includes minimatch as a dependency. minimatch versions below 10.2.1 are vulnerable to a ReDoS attack (GHSA-3ppc-4f35-3m26).
@redocly/openapi-core@2.x has dropped minimatch entirely, which would resolve this vulnerability.
Current behaviour
openapi-typescript@7.x
└── @redocly/openapi-core@^1.x
    └── minimatch (vulnerable < 10.2.1)
Expected behaviour
openapi-typescript@8.x
└── @redocly/openapi-core@^2.x ← no minimatch dependency
References
- GHSA-3ppc-4f35-3m26 — minimatch ReDoS vulnerability
- @redocly/openapi-core changelog showing minimatch removed in 2.x
Proposal
Upgrade the @redocly/openapi-core dependency from ^1.x to ^2.x in a new major version of openapi-typescript (v8). This would eliminate the minimatch transitive dependency entirely, resolving the security advisory.
If there are breaking API changes between @redocly/openapi-core 1.x and 2.x that affect openapi-typescript internals, we'd be happy to help test or contribute to the migration if needed.
Extra
- I’m willing to open a PR (see CONTRIBUTING.md)
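As an added example (not part of this issue, and not code from the openapi-typescript or Redocly projects): a small Node script that checks a package-lock.json for a minimatch below 10.2.1 that is reachable from openapi-typescript. It assumes the lockfile's `packages` map (lockfileVersion 2 or 3) and follows Node's resolution order, so a patched copy hoisted to the project root is not mistaken for the nested copy that @redocly/openapi-core actually loads. The function names are the example's own, and the two lockfiles embedded in it are constructed for illustration; their version numbers are made up rather than taken from a real install.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for a vulnerable transitive minimatch reachable from openapi-typescript.
// Nothing here comes from openapi-typescript or @redocly/openapi-core.

const FIXED_MINIMATCH = [10, 2, 1]; // first non-vulnerable version named in the issue

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Resolve dependency `name` as required from the package installed at `fromPath`
// ("" is the project root): try fromPath/node_modules/name, then walk upwards,
// which is how Node itself resolves hoisted versus nested copies.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Depth-first walk from `rootPkg`; returns every vulnerable `target` install as
// { path, version, chain }, where chain lists package names from the root.
function findVulnerableMinimatch(lock, rootPkg = 'openapi-typescript', target = 'minimatch') {
  const packages = lock.packages || {};
  const start = resolveDep(packages, '', rootPkg);
  if (!start) throw new Error(`${rootPkg} is not in the lockfile`);
  const findings = [];
  const seen = new Set();
  const stack = [[start, [rootPkg]]];
  while (stack.length) {
    const [path, chain] = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    const entry = packages[path];
    if (chain[chain.length - 1] === target) {
      const v = parseVersion(entry.version);
      if (compareVersions(v, FIXED_MINIMATCH) < 0) {
        findings.push({ path, version: entry.version, chain });
      }
      continue; // do not descend into minimatch's own dependencies
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath) stack.push([depPath, [...chain, dep]]);
    }
  }
  return findings;
}

// Constructed lockfile (not a real install): a patched minimatch is hoisted to
// the root, but openapi-core still resolves its own nested, older copy.
const SAMPLE_LOCK_CURRENT = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'openapi-typescript': '^7.0.0', minimatch: '^10.2.1' } },
    'node_modules/minimatch': { version: '10.2.1' },
    'node_modules/openapi-typescript': { version: '7.0.0', dependencies: { '@redocly/openapi-core': '^1.0.0' } },
    'node_modules/@redocly/openapi-core': { version: '1.0.0', dependencies: { minimatch: '^5.0.0' } },
    'node_modules/@redocly/openapi-core/node_modules/minimatch': { version: '5.0.0' },
  },
};

// Constructed lockfile for the proposed state: openapi-core 2.x with no minimatch.
const SAMPLE_LOCK_EXPECTED = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'openapi-typescript': '^8.0.0' } },
    'node_modules/openapi-typescript': { version: '8.0.0', dependencies: { '@redocly/openapi-core': '^2.0.0' } },
    'node_modules/@redocly/openapi-core': { version: '2.0.0', dependencies: {} },
  },
};

for (const f of findVulnerableMinimatch(SAMPLE_LOCK_CURRENT)) {
  console.log(`vulnerable minimatch ${f.version} at ${f.path} via ${f.chain.join(' > ')}`);
}
console.log(`expected tree: ${findVulnerableMinimatch(SAMPLE_LOCK_EXPECTED).length} finding(s)`);
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableMinimatch` instead of the constructed objects. Walking the resolution graph rather than grepping for "minimatch" matters here: `npm ls minimatch` style output and a flat version scan both list the hoisted 10.2.1 copy, but the chain that the script reports is the one openapi-core actually loads.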